lezzo.org/secretwiki/rete.html

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<!-- 2023-05-30 Tue 15:37 -->
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Lezzo secret wiki</title>
<meta name="author" content="bparodi" />
<meta name="generator" content="Org Mode" />
<link rel="stylesheet" type="text/css" href="./stylesheet.css"/>
</head>
<body>
<div id="content" class="content">
<h2>[ Lezzo secret wiki ]</a></h2>
<div id="outline-container-org60adc6c" class="outline-2">
<h2 id="org60adc6c"><b>~</b> Lezzonet: la configurazione di rete</h2>
<div class="outline-text-2" id="text-org60adc6c">
</div>
<div id="outline-container-orga431ca7" class="outline-3">
<h3 id="orga431ca7">QoS</h3>
<div class="outline-text-3" id="text-orga431ca7">
<p>
There is already a qos script in the forge. It should be self documenting so
check that.
To facilitate qos, we are using two network interfaces:
</p>
<ul class="org-ul">
<li>eth1 (10.0.1.0) where the hosts with higher priorities go</li>
<li>eth2 (10.0.2.0) used by the hosts which traffic is less important and can be deprioritized</li>
</ul>
</div>
</div>

<div id="outline-container-orgedd80af" class="outline-3">
<h3 id="orgedd80af">Firewall</h3>
<div class="outline-text-3" id="text-orgedd80af">
</div>
<div id="outline-container-orgf146da2" class="outline-4">
<h4 id="orgf146da2">Router</h4>
<div class="outline-text-4" id="text-orgf146da2">
<p>
Let's break down the router configuration into two parts: port forwarding (NAT) and blocked ports, protocols, and routes.
</p>

<p>
Port forwarding allows incoming connections from the internet to be redirected
to specific devices or services on your local network. This is typically done
using Network Address Translation (NAT) in the router configuration. NAT is
responsible for translating the IP addresses and ports of incoming packets to
the appropriate internal IP addresses and ports.
</p>

<p>
We use iptables is used to configure the port forwarding rules. The iptables
command, specifically in the nat table (-t nat), is used to set up the rules
that define which incoming ports should be forwarded to which internal IP
addresses and ports.
</p>

<pre class="example">
# iptables -t nat -L -n
# 10.0.1.3 is the client that hosts the main webserver with the reverse proxy
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       6    --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:10.0.1.3:80
DNAT       6    --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:10.0.1.3:443

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  0    --  0.0.0.0/0            0.0.0.0/0           
</pre>
<p>
Using iptables commands:
</p>
<pre class="example">
iptables -t nat -A POSTROUTING -o eth1 -p tcp --dport 80 -d 10.0.1.3 -j SNAT --to-source 10.0.1.1
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.0.1.3
iptables -A FORWARD -i eth1 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --syn --dport 80 -m conntrack --ctstate NEW -j ACCEPT
</pre>
<p>
Let's explain this as a list:
</p>
<ol class="org-ol">
<li>add a rule to the NAT table (-t nat). It specifies that
outgoing TCP traffic (-p tcp) with a destination port of 80 (&#x2013;dport 80) and
a destination IP address of 10.0.1.3 (-d 10.0.1.3) should be SNAT (Source
Network Address Translation) translated. The source IP address is changed to
10.0.1.1 (&#x2013;to-source 10.0.1.1). This rule is typically used to rewrite the
source IP address of outgoing traffic to appear as if it's coming from the
router itself</li>
<li>add a rule to the PREROUTING chain of the NAT table. It
specifies that incoming TCP traffic (-p tcp) with a destination port of 80
(&#x2013;dport 80) coming from the eth0 interface (-i eth0) should be DNAT
(Destination Network Address Translation) translated. The destination IP
address is changed to 10.0.1.3 (&#x2013;to-destination 10.0.1.3). This rule is used
to forward incoming traffic from port 80 to the specified internal IP
address</li>
<li>add a rule to the FORWARD chain. It allows traffic from
eth1 interface (-i eth1) to eth0 interface (-o eth0) that is already
established or related (-m conntrack &#x2013;ctstate ESTABLISHED,RELATED). This
rule is used to permit incoming responses or related traffic for connections
initiated from the internal network</li>
<li>add a rule to the FORWARD chain. It allows traffic from eth0 interface (-i
eth0) to eth1 interface (-o eth1) that is already established or related (-m
conntrack &#x2013;ctstate ESTABLISHED,RELATED). This rule is used to permit
incoming responses or related traffic for connections initiated from the
external network.</li>
<li>add a rule to the FORWARD chain. It allows incoming TCP traffic (-p tcp &#x2013;syn
&#x2013;dport 80) from eth0 interface to eth1 interface that is in a NEW state (-m
conntrack &#x2013;ctstate NEW). This rule is used to permit incoming new TCP
connections to port 80 on the internal network.</li>
</ol>


<p>
Alongside port forwarding, we need to block certain ports, protocols, or routes
to enhance security or control network traffic. This is where ufw (Uncomplicated
Firewall) comes into play.
</p>
<pre class="example">
     To                         Action      From
     --                         ------      ----
23185                      ALLOW IN    Anywhere                  
22                         ALLOW IN    Anywhere                  
1:65535/tcp on eth1        ALLOW IN    Anywhere                  
1:65535/udp on eth1        ALLOW IN    Anywhere                  
1:65535/tcp on eth2        ALLOW IN    Anywhere      
1:65535/udp on eth2        ALLOW IN    Anywhere                  
1:65535/tcp on lezzonet    ALLOW IN    Anywhere                  
1:65535/udp on lezzonet    ALLOW IN    Anywhere                  
</pre>
<p>
We use the default rules of ufw for the firewall and in addition we allow all
traffic on the two lan interfaces eth1 and eth2 and the wireguard interface
lezzonet. We also allow the ssh protocol and traffic into the wireguard port 23185.
</p>
</div>
</div>
<div id="outline-container-org75e3150" class="outline-4">
<h4 id="org75e3150">Clients</h4>
<div class="outline-text-4" id="text-org75e3150">
<p>
The piracy machine is the only one directly exposed to the network because of
the vpn. This is the ufw configuration:
</p>
<pre class="example">
# ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] Anywhere on eth0           ALLOW IN    Anywhere                  
[ 2] Anywhere                   ALLOW OUT   Anywhere on eth0           (out)
[ 3] 11000:12000/tcp            ALLOW IN    Anywhere                  
[ 4] 11000:12000/udp            ALLOW IN    Anywhere                  
</pre>
<p>
Basically open every port from 11000 to 12000 and have programs listen on those
ports. In addition to that, the main client that is Transmission is very hungry
so I rate limited it using its own configuration options.
</p>

<p>
Some example commands:
</p>
<pre class="example">
ufw allow from any to any port 23185
ufw allow ssh
ufw allow in on eth1,eth2,lezzonet to any port 22,53,123,514 proto udb
ufw allow in on eth1,eth2,lezzonet to any port 22,53,123,514 proto tcp
</pre>
</div>
</div>
</div>
</div>
</div>
<div id="postamble" class="status">
<p class="author">Author: bparodi</p>
<p class="date">Created: 2023-05-30 Tue 15:37</p>
<p class="validation"><a href="https://validator.w3.org/check?uri=referer">Validate</a></p>
</div>
</body>
</html>
secret wiki 2023-05-25 17:39:20 +01:00			`<?xml version="1.0" encoding="utf-8"?>`
			`<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"`
			`"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">`
			`<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">`
			`<head>`
secretwiki 2023-05-30 14:37:22 +01:00			`<!-- 2023-05-30 Tue 15:37 -->`
secret wiki 2023-05-25 17:39:20 +01:00			`<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />`
			`<meta name="viewport" content="width=device-width, initial-scale=1" />`
			`<title>Lezzo secret wiki</title>`
			`<meta name="author" content="bparodi" />`
			`<meta name="generator" content="Org Mode" />`
			`<link rel="stylesheet" type="text/css" href="./stylesheet.css"/>`
			`</head>`
			`<body>`
			`<div id="content" class="content">`
			`<h2>[ Lezzo secret wiki ]</a></h2>`
secretwiki 2023-05-30 14:37:22 +01:00			`<div id="outline-container-org60adc6c" class="outline-2">`
			`<h2 id="org60adc6c"><b>~</b> Lezzonet: la configurazione di rete</h2>`
			`<div class="outline-text-2" id="text-org60adc6c">`
secret wiki 2023-05-25 17:39:20 +01:00			`</div>`
secretwiki 2023-05-30 14:37:22 +01:00			`<div id="outline-container-orga431ca7" class="outline-3">`
			`<h3 id="orga431ca7">QoS</h3>`
			`<div class="outline-text-3" id="text-orga431ca7">`
secret wiki 2023-05-25 17:39:20 +01:00			`<p>`
			`There is already a qos script in the forge. It should be self documenting so`
			`check that.`
sito quartaparete 2023-05-28 12:17:15 +01:00			`To facilitate qos, we are using two network interfaces:`
secret wiki 2023-05-25 17:39:20 +01:00			`</p>`
sito quartaparete 2023-05-28 12:17:15 +01:00			`<ul class="org-ul">`
			`<li>eth1 (10.0.1.0) where the hosts with higher priorities go</li>`
			`<li>eth2 (10.0.2.0) used by the hosts which traffic is less important and can be deprioritized</li>`
			`</ul>`
secret wiki 2023-05-25 17:39:20 +01:00			`</div>`
			`</div>`

secretwiki 2023-05-30 14:37:22 +01:00			`<div id="outline-container-orgedd80af" class="outline-3">`
			`<h3 id="orgedd80af">Firewall</h3>`
			`<div class="outline-text-3" id="text-orgedd80af">`
secret wiki 2023-05-25 17:39:20 +01:00			`</div>`
secretwiki 2023-05-30 14:37:22 +01:00			`<div id="outline-container-orgf146da2" class="outline-4">`
			`<h4 id="orgf146da2">Router</h4>`
			`<div class="outline-text-4" id="text-orgf146da2">`
secret wiki 2023-05-25 17:39:20 +01:00			`<p>`
			`Let's break down the router configuration into two parts: port forwarding (NAT) and blocked ports, protocols, and routes.`
			`</p>`

			`<p>`
			`Port forwarding allows incoming connections from the internet to be redirected`
			`to specific devices or services on your local network. This is typically done`
			`using Network Address Translation (NAT) in the router configuration. NAT is`
			`responsible for translating the IP addresses and ports of incoming packets to`
			`the appropriate internal IP addresses and ports.`
			`</p>`

			`<p>`
			`We use iptables is used to configure the port forwarding rules. The iptables`
			`command, specifically in the nat table (-t nat), is used to set up the rules`
			`that define which incoming ports should be forwarded to which internal IP`
			`addresses and ports.`
			`</p>`

			`<pre class="example">`
			`# iptables -t nat -L -n`
			`# 10.0.1.3 is the client that hosts the main webserver with the reverse proxy`
			`Chain PREROUTING (policy ACCEPT)`
			`target prot opt source destination`
			`DNAT 6 -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:10.0.1.3:80`
			`DNAT 6 -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:10.0.1.3:443`

			`Chain INPUT (policy ACCEPT)`
			`target prot opt source destination`

			`Chain OUTPUT (policy ACCEPT)`
			`target prot opt source destination`

			`Chain POSTROUTING (policy ACCEPT)`
			`target prot opt source destination`
			`MASQUERADE 0 -- 0.0.0.0/0 0.0.0.0/0`
			`</pre>`
			`<p>`
			`Using iptables commands:`
			`</p>`
			`<pre class="example">`
			`iptables -t nat -A POSTROUTING -o eth1 -p tcp --dport 80 -d 10.0.1.3 -j SNAT --to-source 10.0.1.1`
			`iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.0.1.3`
			`iptables -A FORWARD -i eth1 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`
			`iptables -A FORWARD -i eth0 -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`
			`iptables -A FORWARD -i eth0 -o eth1 -p tcp --syn --dport 80 -m conntrack --ctstate NEW -j ACCEPT`
			`</pre>`
			`<p>`
			`Let's explain this as a list:`
			`</p>`
			`<ol class="org-ol">`
			`<li>add a rule to the NAT table (-t nat). It specifies that`
			`outgoing TCP traffic (-p tcp) with a destination port of 80 (–dport 80) and`
			`a destination IP address of 10.0.1.3 (-d 10.0.1.3) should be SNAT (Source`
			`Network Address Translation) translated. The source IP address is changed to`
			`10.0.1.1 (–to-source 10.0.1.1). This rule is typically used to rewrite the`
			`source IP address of outgoing traffic to appear as if it's coming from the`
			`router itself</li>`
			`<li>add a rule to the PREROUTING chain of the NAT table. It`
			`specifies that incoming TCP traffic (-p tcp) with a destination port of 80`
			`(–dport 80) coming from the eth0 interface (-i eth0) should be DNAT`
			`(Destination Network Address Translation) translated. The destination IP`
			`address is changed to 10.0.1.3 (–to-destination 10.0.1.3). This rule is used`
			`to forward incoming traffic from port 80 to the specified internal IP`
			`address</li>`
			`<li>add a rule to the FORWARD chain. It allows traffic from`
			`eth1 interface (-i eth1) to eth0 interface (-o eth0) that is already`
			`established or related (-m conntrack –ctstate ESTABLISHED,RELATED). This`
			`rule is used to permit incoming responses or related traffic for connections`
			`initiated from the internal network</li>`
			`<li>add a rule to the FORWARD chain. It allows traffic from eth0 interface (-i`
			`eth0) to eth1 interface (-o eth1) that is already established or related (-m`
			`conntrack –ctstate ESTABLISHED,RELATED). This rule is used to permit`
			`incoming responses or related traffic for connections initiated from the`
			`external network.</li>`
			`<li>add a rule to the FORWARD chain. It allows incoming TCP traffic (-p tcp –syn`
			`–dport 80) from eth0 interface to eth1 interface that is in a NEW state (-m`
			`conntrack –ctstate NEW). This rule is used to permit incoming new TCP`
			`connections to port 80 on the internal network.</li>`
			`</ol>`


			`<p>`
			`Alongside port forwarding, we need to block certain ports, protocols, or routes`
			`to enhance security or control network traffic. This is where ufw (Uncomplicated`
			`Firewall) comes into play.`
			`</p>`
			`<pre class="example">`
			`To Action From`
			`-- ------ ----`
			`23185 ALLOW IN Anywhere`
			`22 ALLOW IN Anywhere`
			`1:65535/tcp on eth1 ALLOW IN Anywhere`
			`1:65535/udp on eth1 ALLOW IN Anywhere`
			`1:65535/tcp on eth2 ALLOW IN Anywhere`
			`1:65535/udp on eth2 ALLOW IN Anywhere`
			`1:65535/tcp on lezzonet ALLOW IN Anywhere`
			`1:65535/udp on lezzonet ALLOW IN Anywhere`
			`</pre>`
			`<p>`
			`We use the default rules of ufw for the firewall and in addition we allow all`
			`traffic on the two lan interfaces eth1 and eth2 and the wireguard interface`
			`lezzonet. We also allow the ssh protocol and traffic into the wireguard port 23185.`
			`</p>`
			`</div>`
			`</div>`
secretwiki 2023-05-30 14:37:22 +01:00			`<div id="outline-container-org75e3150" class="outline-4">`
			`<h4 id="org75e3150">Clients</h4>`
			`<div class="outline-text-4" id="text-org75e3150">`
secret wiki 2023-05-25 17:39:20 +01:00			`<p>`
			`The piracy machine is the only one directly exposed to the network because of`
			`the vpn. This is the ufw configuration:`
			`</p>`
			`<pre class="example">`
			`# ufw status numbered`
			`Status: active`

			`To Action From`
			`-- ------ ----`
			`[ 1] Anywhere on eth0 ALLOW IN Anywhere`
			`[ 2] Anywhere ALLOW OUT Anywhere on eth0 (out)`
			`[ 3] 11000:12000/tcp ALLOW IN Anywhere`
			`[ 4] 11000:12000/udp ALLOW IN Anywhere`
			`</pre>`
			`<p>`
			`Basically open every port from 11000 to 12000 and have programs listen on those`
			`ports. In addition to that, the main client that is Transmission is very hungry`
			`so I rate limited it using its own configuration options.`
			`</p>`

			`<p>`
			`Some example commands:`
			`</p>`
			`<pre class="example">`
			`ufw allow from any to any port 23185`
			`ufw allow ssh`
			`ufw allow in on eth1,eth2,lezzonet to any port 22,53,123,514 proto udb`
			`ufw allow in on eth1,eth2,lezzonet to any port 22,53,123,514 proto tcp`
			`</pre>`
			`</div>`
			`</div>`
			`</div>`
			`</div>`
			`</div>`
			`<div id="postamble" class="status">`
			`<p class="author">Author: bparodi</p>`
secretwiki 2023-05-30 14:37:22 +01:00			`<p class="date">Created: 2023-05-30 Tue 15:37</p>`
secret wiki 2023-05-25 17:39:20 +01:00			`<p class="validation"><a href="https://validator.w3.org/check?uri=referer">Validate</a></p>`
			`</div>`
			`</body>`
			`</html>`